Commit a924a72

Boilerplate: Update to f1ce2ebcab3cd03ddb7c46d1c8c96a810d5d5ca1 (#212)
Conventions: - openshift/golang-osd-operator: Update --- openshift/boilerplate@b0a2063...f1ce2eb commit: 7c59357bf444030bc731acac184fed2aa8a2bf1a author: Andrew Pantuso fix: bump OPM version for opm-build-push commit: 7d3fe8364cdae48e94201f63d57ff20e0e470ed7 author: Andrew Pantuso fix: permit docker with config option for opm-build-push commit: 08bf780089af601a3554931e1342d81238286396 author: klin update ubi image tag commit: 93bb8c3b6f9636c582f4b1e642f259cf569283ab author: klin update ubi image commit: efe22eed1a95a5820f9011c979e8bc25933f2587 author: Supreeth Basabattini Add container-make targets commit: b8febb30962c92e9406143e24292249d38bc5064 author: Michael Shen Make env var optional for operator containers Signed-off-by: Michael Shen <[email protected]> commit: 6f0a5c1385f7b48ff30f7ae49cfbddee775ab88a author: Ravi Trivedi Ignoring autogenerated zz files for codecov commit: b2b57ed9f0d2ebe75dfeea3bb13d360aba460d8a author: Ravi Trivedi Ignoring mock clients for codecov commit: 9520d29ded3d9dda08172165e6e15bc31a72ce4c author: Matt Bargenquast Set main package to base dir in new SDK commit: 350f8631ecf20a852b82a0f90b7bcfea8ff19845 author: Antony Natale OSD-12367: update to fix skopeo version dependency (#236) * update to fix skopeo version dependency * typo fix * typo fix commit: 4c70ca1b4f70da2a3a4606e37bf0d2caa23dc120 author: Antony Natale fix quoting commit: b6c8caca3763c7d3b85783b327f29afbaecaaffb author: Antony Natale added more error checking commit: f6c47f83a2fff43c027d22ff2c93e56496f8e27f author: Antony Natale added other commented fixes from last PR commit: b71e2da17b3d1eb344b57ce6dad8637ac71561ff author: Antony Natale fixes error check on opm command commit: 7db0538e630305a5ba047aa7ceef7bd78adb8f86 author: Antony Natale OSD-11742, OSD-12367 - bug and CVE fixes for catalog operators (#234) * base changes and logic set, needs polishing * adds printout of first run, undos changes made for local testing * update custom catalog makefile to match golang and 
better handle podman vs docker * fix typos and clean up * made suggested changes * remove unwanted testing values commit: 79cb8136e506524e740d78aff414e419415017ea author: Alex Vulaj Only remove for darwin/mac commit: 21b4ed75091749567ff9f53367e4303f850a0ef5 author: Alex Vulaj Remove :Z mount option for podman in container-make commit: fe734d5a42331418c0630cfe1e86221e8e995320 author: Eric Fried Fix golang-lint README It touted the wrong `make` target name. commit: 7c5112a0a8e3d187f56384efac222200b9b10244 author: Benjamin Dematteo Fixing the variable assignment commit: 1a05b3e6572eb37bd2098267287afc3dc35dead9 author: Supreeth Basabattini Automate migration to an extent commit: 8e0880fc695a2421cdd400249690a997ce50ff11 author: Antony Natale changes source of operator name as it is not compatible with jenkins pipeline commit: 9744d76fc22d4b838dadee9fb229f5e591e837ac author: John Roche Change to a template file commit: ec6e7a3e70bb23401df5f7e333569fdef2535c4e author: Supreeth Basabattini Remove support for CRDv1beta1 in boilerplate Removed op-generate-crd-fixup test case commit: 16924d60224e73f7d5b82c652fc9e28fb18794a5 author: Ravi Trivedi Adding initializer for debugging purpose commit: ffc15d3682ce1f84f37499fd65c472dc60623ecf author: Haoran Wang generate CRD v1 by default commit: 1e947d2b7daee575dbc0283c647b9945a8081c8f author: Haoran Wang 1. Set a home dir that are writable when do go test to workaround the (#224) issue we have in openshift ci 2. 
Set the test binary bin dir to a tmp dir commit: 8f3dfee52954fecbb9b834676f3bfc435619d9d7 author: Supreeth Basabattini Remove explicit configuration of envtest bin directory commit: 95509602ef9a3fe37a23f3b15d0f013918d2cebb author: Supreeth Basabattini Fix openapi-gen versioning for new o-sdk commit: 39cc9e896380f04987f92d5a5aeec331966e2d1e author: Supreeth Basabattini Include openapi-gen and setup-envtest in the backing image commit: 1d6d39398ec892deec3add7f9b0c3d616af1a60a author: Supreeth Basabattini Fix incorrect bash syntax commit: 1f0fa3dc4630b115897dcadf1cf2f25edfa3a731 author: Ravi Trivedi Rebuild registry image from 4.10.0 into a ubi-micro image commit: bac2488ea130d26848df3cba7ccc1ef98496b436 author: Haoran Wang Update boilerplate to support latest osdk use controller-gen v0.3.0 when it's using old osdk Address some comments use controller-gen in the baking image commit: 210292d58116f6c5981e1ab43b5d6543fb8a070d author: Haoran Wang install v0.8.0 controller-gen in the backing image commit: 9fa3022a5f8c00b7f5e1e10f6f935162c1741a21 author: John Roche make target for fips on osd operators commit: e35d0f5c1aa9ef8b22ede5e2bd7f674d2f07b3ba author: Michael Shen Initial prow-config addition Signed-off-by: Michael Shen <[email protected]> commit: a078e1ce4ffd8607b13f398e7bcab5cc759fa864 author: Michael Shen Unexport GOFLAGS to fix bug when using container-make Signed-off-by: Michael Shen <[email protected]> commit: b99a046991521f41600c897354009b93dee15e33 author: Benjamin Dematteo Fixing errors from golang-lint (in standard.mk) commit: 3560610f126217211ad9663f8e5729ffee2735c6 author: Benson Ngoy USER 1001 doesn't have pip install permissions + updating pip commit: bbf4703f01903064bf1d2f79a0e893f8535ce048 author: Wesley Hearn [OSD-10491] Bump urllib3 version (#209) * [OSD-10491] Bump urllib3 version * Update catalog-build.sh Remove the --upgrade from the pip3 install commit: c06911de4e086ff74e40cc31f018a71f72b9b408 author: Michael Shen Initial commit for 
osd-container-image convention Signed-off-by: Michael Shen <[email protected]> commit: b924e51f50330cd4e7279acc102b7e1adc29f338 author: Benjamin Dematteo update README for new conventions commit: 7788244648e463fac115937799297d6eab204179 author: Benjamin Dematteo updating with PR Review comments commit: 1c13a6d23ef92603bbae32d5fb8f543789fc579c author: Christoph Blecker Update image tag in test files commit: 4d1f8a2678f70f7c64c0ae16800049e3feee64cc author: Christoph Blecker Update build_image script to work with RHEL8/go1.17 commit: 35820443749339ecb2f9d5d5ff7df0f43b159776 author: Christoph Blecker Switch to RHEL8 builder image commit: 03deceeda6b7b39b22e4eae06d59de78e5fdbbf0 author: Eric Fried Update README for image tagging quirks Clarify a couple of things in the README wrt image tagging: - You have to push the new tag to your `origin` as well as `upstream`. - You have to edit the tag in a couple of in-repo files as well. commit: b1c28646013edcecdcc7ab0631bd43c3183184b4 author: Eric Fried Fix broken link in README The release repo moved the file where we import our backing image. commit: 31bf3b7e35fc1f900aa7e1d8ae61e7c209182181 author: Ron Green feat(golangci): add gosec per ticket OSD-10161, this change should be running via CI on all osd operators. this way we are always compliant to the gosec (as we have done one audit a forever ago and cleaned issues this change should get approval before merging as this might cause initial work to upgrade to this version of boilerplate commit: 7d81a9d4ba6ed1b17ed0f0ceee85cb9def9884d4 author: Benjamin Dematteo Initial commit for golang-codecov and golang-lint conventions commit: 35c3064256d88136a6eaa75ced0660a7426d3c70 author: Eric Fried Remove support for hack/generate-operator-bundle.py Support for using a "local" (within the consuming repo) hack/generate-operator-bundle.py script was included as a bridge while consumers were cutting over to use the common bundle generator. That has happened. 
Get rid of the old script, make targets, and support. commit: 5f249984fba668d090b3ee2194dd0e98e506d43c author: Ron Green fix(CONTAINER_ENGINE): allow setting the env after #201 didn't work, I updated it a bit now you can set the env and it's not overriden commit: 304c86f779a2b8cb3daf8f02ae06fc0afe158bca author: Matt Bargenquast Support empty SaaS repositories commit: aa424cb414d16f5227ad15815487932f3ea7276c author: Ron Green fix(CONTAINER_ENGINE): allow setting the env this allows setting the image from an external source (additional checks might be required) commit: 2c52f542c9e5baf4bd77ed126e70c0c207829cdc author: Christoph Blecker Always re-pull the FROM images on container build commit: e2466bb12ad455410516761fdc90e9ea2381439d author: Matt Bargenquast App-SRE testing docs should suggest to rebase saas fork commit: 4cc462fca11eecd6e25b3ffca74a7b966470d623 author: Eric Fried golang-osd-operator appsre: Fix docker login When stealing (ahem, "reappropriating") podman/docker-accommodating App-SRE pipeline code when hive switched to a rhel8 jenkins node, we found a latent bug on the docker side: the `REGISTRY_AUTH_FILE` variable needs to point to an actual file, not just the directory in which the file is located. Contributing the fix back "upstream". 
commit: eefc1c43ec3a9717f6017fd747134568192e634d author: Candace Sheremeta Add OPERATOR_IMAGE as an env var for OSD operators commit: 1e7de2c16f088bbb18c7a83835870c3e6a35318b author: Dustin Row Add --pull to build command for operator-registry build for security fixes commit: 14bb7be131c97bb6271e78c4c211224f6d9a775d author: Dustin Row Revert "Update operator-registry base image to 4.9.0" commit: 3af04216b99e713d24a3ba527c283d9f45c3e7df author: Dustin Row Update operator-registry base image to 4.9.0 commit: 8f2bc55518f69bd5cd6cd9c73cba4b689fce5858 author: Karthik Perumal more loose ends being fixed commit: 4ab8860af2acc2eebc38ce96247134df4a432a83 author: Karthik Perumal Fix a few small issues with custom catalog convention commit: 253f82a45b2f5f57302e59ca6f355201ff9860bb author: Karthik Perumal Apply suggestions from code review Co-authored-by: Eric Fried <[email protected]> commit: cc0ae4d07927030d527849d0834b84ba0fd51b2e author: Karthik Perumal fix make default target's grep Co-authored-by: Eric Fried <[email protected]> commit: 9d78a55603eeb6f312e18ce1a8e23b41b5e7e6bf author: Karthik Perumal clean-up custom catalog convention as per review commit: b8892e15fd675c2f137a1b20df604c6a95a5b1d3 author: Karthik Perumal fix typo Co-authored-by: Eric Fried <[email protected]> commit: 6c8a1d587dd975b0bced42560c85399cf3b1500d author: Karthik Perumal Add custom-catalog-osd-operator convention to boilerplate upstream [OSD-7284] commit: e26f6048109a5403a55f3008fee7c66e29e93c82 author: Benson Ngoy OSD-7604 - CRDs don't have a spec.version field in v1 commit: 5ad097e2fd2103bfe9bd007a68c5d3bc46e95fbe author: Eric Fried podman enablement - Podman and docker use different mechanisms to override the default path to the credentials cache. Accommodate both. - Podman and docker use different transport prefixes to reference locally built images via skopeo. Accommodate both. - Expand addition of `--userns keep-id` and `-v ...:Z` to more places. 
- Resolve OSD-6941 by detecting the container engine in catalog-build.sh. Co-Authored-By: @dofinn commit: 2ceeef142460be66ac28fb9f9fbcd42d64c89d9d author: Eric Fried Support CRD v1 (optional) By default, `make op-generate` will now generate CRD v1. Setting the `make` variable `CRD_VERSION=v1beta1` will override this behavior and build v1beta1 as before. OSD-5869 commit: fd46dd207919143b42db39ea73b20a0ae530aa5c author: Eric Fried Remove codecov secret mapping stuff This is no longer applicable since the move to self-service vault. commit: deb98557f3fe39ba318e9890e93aac5d6a72a739 author: Eric Fried Skip update/revert test case if at master If we're already at master (which happens e.g. during rehearsals on CI config updates), the 04-update-from-master-and-revert test is a) silly, and b) going to fail when attempting `boilerplate-commit` because there's nothing to update and therefore nothing to commit. Add logic to short out of this test case in this scenario. commit: 7ac2a583973b4799c685d701d784624bb815b729 author: Dominic Finn Update boilerplate/_lib/container-make commit: 42e4047700fbf04e5ee984a092562208ed33bc14 author: Dominic Finn Update boilerplate/_lib/container-make commit: 7dd43153c50332aa1cc9ba02db6231a3b026edcb author: Dominic Finn enable make generate locally commit: 2714e7c4a11d931ee8272b55c49445437ce2273a author: Eric Fried image-v2.1.0: add `gh` Add the `gh` (GitHub CLI) executable to the backing image so CICD jobs can do consumer reports. Part of OSD-5962 commit: 8bc4fa86071070d417e81170b1f6c37ea8c4756e author: Eric Fried Add `make subscriber-report` Create a `make` target that runs subscriber reports. The intent is to run this in a postsubmit prow job, the results of which will (eventually) be posted somewhere/somehow. Currently only runs `onboarding` and `release` subcommands, as the `pr` subcommand requires the `gh` CLI to be installed and authenticated. 
Part of OSD-5962 commit: 32bbc81aae1388f638cdecc29f0457344a369bef author: Eric Fried image-v2.0.1: Ratchet base to image-v2.0.0 To speed up boilerplate CI, ratchet prow's Dockerfile to build FROM `image-v2.0.0`. commit: ac77c2b43941a96dcd9b133bbc57772814c3a2da author: Eric Fried image-v2.0.0: Get rid of operator-sdk generate Remove invocations of and support for `operator-sdk generate`, replacing these with the corresponding `controller-gen` calls in the `op-generate` target of openshift/golang-osd-operator's standard.mk. The operator-sdk-generate.sh helper script is removed. We invoke controller-gen directly from the `make` target. We need to preserve and add to the post-CRD-gen `yq` hacks to produce CRDs compatible with both v3 and v4. These should be able to go away once 3.11 is dead. (At that time we'll also need to flag controller-gen to produce CRD v1 instead of v1beta1.) As written, this will work for consumers whether their APIs are packaged separately (as in e.g. openshift/aws-account-operator#580) or not. With this commit, we produce a fresh backing image that omits the operator-sdk binaries, but is otherwise the same as image-v1.0.1. With this commit, we're rebuilding the backing image from scratch, so the prow and jenkins Dockerfiles are the same. A subsequent commit will ratchet the former to be based on image-v2.0.0 to speed up builds, in a spirit similar to #164. OSD-7352 OSD-7353 commit: 6b7309ab8cb31ca402961f832346fdafea06574b author: Eric Fried Document picking up fixes in the backing image commit: f156e7bf09eabdd45fccd1a898c92f53a8061ae5 author: Eric Fried image-v1.0.1: Ratchet base image to 1.0.0 To make presumbit CI faster, this commit ratchets up the CI image build to "start" from the previously-released image, `image-v1.0.0`. The original build.sh is renamed and a fresh build.sh is introduced. The latter is currently a no-op; subsequent image releases can add to it. 
An app-sre-specific Dockerfile combines all the build scripts to do a full build from scratch in the appsre pipeline. There is no functional change to the image itself. OSD-7253 commit: 26e72e939a3d0efd4492a94c890ed8148d659654 author: Sebastian Łaskawiec Unbound error fix for the new operators
1 parent 8a715fa commit a924a72

25 files changed

+457
-412
lines changed

Diff for: .ci-operator.yaml

+1-1
@@ -1,4 +1,4 @@
11
build_root_image:
22
name: boilerplate
33
namespace: openshift
4-
tag: image-v1.0.0
4+
tag: image-v2.3.2

Diff for: .codecov.yml

+4
@@ -24,3 +24,7 @@ comment:
2424
layout: "reach,diff,flags,tree"
2525
behavior: default
2626
require_changes: no
27+
28+
ignore:
29+
- "**/mocks"
30+
- "**/zz_generated*.go"

Diff for: boilerplate/_data/backing-image-tag

+1-1
@@ -1 +1 @@
1-
image-v1.0.0
1+
image-v2.3.2

Diff for: boilerplate/_data/last-boilerplate-commit

+1-1
@@ -1 +1 @@
1-
b0a20637c47d7d94d6bdadbb2660b4f081526015
1+
f1ce2ebcab3cd03ddb7c46d1c8c96a810d5d5ca1

Diff for: boilerplate/_lib/container-make

+9-6
@@ -9,23 +9,26 @@ fi
99

1010
source ${0%/*}/common.sh
1111

12-
CONTAINER_ENGINE=$(command -v podman || command -v docker)
12+
CONTAINER_ENGINE="${CONTAINER_ENGINE:-$(command -v podman || command -v docker)}"
1313
[[ -n "$CONTAINER_ENGINE" ]] || err "Couldn't find a container engine. Are you already in a container?"
1414

15-
CONTAINER_ENGINE_SHORT=${CONTAINER_ENGINE##*/}
16-
1715
# Make sure the mount inside the container is named in such a way that
1816
# - openapi-gen (which relies on GOPATH) produces absolute paths; and
1917
# - other go-ish paths are writeable, e.g. for `go mod download`.
2018
CONTAINER_MOUNT=/go/src/$(repo_import $REPO_ROOT)
2119

2220
# First set up a detached container with the repo mounted.
2321
banner "Starting the container"
24-
if [[ $CONTAINER_ENGINE_SHORT == "podman" ]]; then
25-
container_id=$($CONTAINER_ENGINE run --userns keep-id -d -v "$REPO_ROOT":"$CONTAINER_MOUNT":Z $IMAGE_PULL_PATH tail -f /dev/null)
22+
if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]]; then
23+
if [[ $OSTYPE == *"darwin"* ]]; then
24+
CE_OPTS="--userns keep-id -v $REPO_ROOT:$CONTAINER_MOUNT"
25+
else
26+
CE_OPTS="--userns keep-id -v $REPO_ROOT:$CONTAINER_MOUNT:Z"
27+
fi
2628
else
27-
container_id=$($CONTAINER_ENGINE run -d -v "$REPO_ROOT":"$CONTAINER_MOUNT" $IMAGE_PULL_PATH tail -f /dev/null)
29+
CE_OPTS="-v $REPO_ROOT:$CONTAINER_MOUNT"
2830
fi
31+
container_id=$($CONTAINER_ENGINE run -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity)
2932

3033
if [[ $? -ne 0 ]] || [[ -z "$container_id" ]]; then
3134
err "Couldn't start detached container"
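
Review bot: `CE_OPTS` is built as a single string and then expanded unquoted in `$CONTAINER_ENGINE run -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity`, so a `REPO_ROOT` containing spaces or glob characters is word-split into separate arguments. The removed lines avoided this by quoting `"$REPO_ROOT":"$CONTAINER_MOUNT"`. Build the options as a bash array, for example `CE_OPTS=(--userns keep-id -v "$REPO_ROOT:$CONTAINER_MOUNT:Z")`, and expand it as `"${CE_OPTS[@]}"`. A short comment on the `darwin` branch explaining why `:Z` is dropped there would also help the next reader.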

Diff for: boilerplate/_lib/subscriber-propose

-1
@@ -7,7 +7,6 @@ declare -A SUBCOMMANDS
77
SUBCOMMANDS=(
88
# TODO:
99
# [bootstrap]='Bootstrap a new subscriber'
10-
# [codecov-secret-mapping]='Propose codecov secret mapping to openshift/release'
1110
# [prow-config]='Propose standardized prow configuration to openshift/release'
1211
[update]='Update an already-onboarded subscriber'
1312
)

Diff for: boilerplate/openshift/golang-osd-operator/.codecov.yml

+4
@@ -24,3 +24,7 @@ comment:
2424
layout: "reach,diff,flags,tree"
2525
behavior: default
2626
require_changes: no
27+
28+
ignore:
29+
- "**/mocks"
30+
- "**/zz_generated*.go"

Diff for: boilerplate/openshift/golang-osd-operator/README.md

+40-21
@@ -14,6 +14,7 @@ This convention is suitable for both cluster- and hive-deployed operators.
1414
The following components are included:
1515

1616
## `make` targets and functions.
17+
1718
**Note:** Your repository's main `Makefile` needs to be edited to include the
1819
"nexus makefile include":
1920

@@ -28,7 +29,7 @@ following:
2829
### Prow
2930

3031
| Test name / `make` target | Purpose |
31-
|---------------------------|-----------------------------------------------------------------------------------------------------------------|
32+
| ------------------------- | --------------------------------------------------------------------------------------------------------------- |
3233
| `validate` | Ensure code generation has not been forgotten; and ensure generated and boilerplate code has not been modified. |
3334
| `lint` | Perform static analysis. |
3435
| `test` | "Local" unit and functional testing. |
@@ -48,18 +49,26 @@ $ make RELEASE_CLONE=/home/me/github/openshift/release prow-config
4849
```
4950

5051
This will generate a delta configuring prow to:
52+
5153
- Build your `build/Dockerfile`.
5254
- Run the above targets in presubmit tests.
5355
- Run the `coverage` target in a postsubmit. This is the step that
5456
updates your coverage report in codecov.io.
5557

5658
#### Local Testing
59+
5760
You can run these `make` targets locally during development to test your
5861
code changes. However, differences in platforms and environments may
5962
lead to unpredictable results. Therefore boilerplate provides a utility
6063
to run targets in a container environment that is designed to be as
6164
similar as possible to CI:
6265

66+
```shell
67+
$ make container-{target}
68+
```
69+
70+
or
71+
6372
```shell
6473
$ ./boilerplate/_lib/container-make {target}
6574
```
@@ -72,27 +81,15 @@ By default it is configured to be run from the app-sre jenkins pipelines.
7281
Consult [this doc](app-sre.md) for information on local execution/testing.
7382

7483
## Code coverage
84+
7585
- A `codecov.sh` script, referenced by the `coverage` `make` target, to
76-
run code coverage analysis per [this SOP](https://github.com/openshift/ops-sop/blob/93d100347746ce04ad552591136818f82043c648/services/codecov.md).
86+
run code coverage analysis per [this SOP](https://github.com/openshift/ops-sop/blob/93d100347746ce04ad552591136818f82043c648/services/codecov.md).
7787

7888
- A `.codecov.yml` configuration file for
7989
[codecov.io](https://docs.codecov.io/docs/codecov-yaml). Note that
8090
this is copied into the repository root, because that's
8191
[where codecov.io expects it](https://docs.codecov.io/docs/codecov-yaml#can-i-name-the-file-codecovyml).
8292

83-
- A `make` target to [request the secret mapping in openshift/release](https://github.com/openshift/ops-sop/blob/be43125239deb1f2bbc1ef54f010410e97ff6146/services/codecov.md#openshiftrelease-pr-1---secret-mapping):
84-
85-
```shell
86-
$ make codecov-secret-mapping
87-
```
88-
89-
If you already have the openshift/release repository cloned locally, you
90-
may specify its path via `$RELEASE_CLONE`:
91-
92-
```shell
93-
$ make RELEASE_CLONE=/home/me/github/openshift/release codecov-secret-mapping
94-
```
95-
9693
## Linting and other static analysis with `golangci-lint`
9794

9895
- A `go-check` `make` target, which
@@ -107,13 +104,35 @@ The convention embeds default checks to ensure generated code generation is curr
107104
To trigger the check, you can use `make generate-check` provided your Makefile properly includes the boilerplate-generated include `boilerplate/generated-includes.mk`.
108105

109106
Checks consist of:
110-
* Checking all files are committed to ensure a safe point to revert to in case of error
111-
* Running the `make generate` command (see below) to regenerate the needed code
112-
* Checking if this results in any new uncommitted files in the git project or if all is clean.
107+
108+
- Checking all files are committed to ensure a safe point to revert to in case of error
109+
- Running the `make generate` command (see below) to regenerate the needed code
110+
- Checking if this results in any new uncommitted files in the git project or if all is clean.
113111

114112
`make generate` does the following:
115-
* `operator-sdk generate crds` and `k8s`. This is a no-op if your
113+
114+
- generate crds and deepcopy via controller-gen. This is a no-op if your
116115
operator has no APIs.
117-
* `openapi-gen`. This is a no-op if your operator has no APIs.
118-
* `go generate`. This is a no-op if you have no `//go:generate`
116+
- `openapi-gen`. This is a no-op if your operator has no APIs.
117+
- `go generate`. This is a no-op if you have no `//go:generate`
119118
directives in your code.
119+
120+
## FIPS (Federal Information Processing Standards)
121+
122+
To enable FIPS in your build there is a `make ensure-fips` target.
123+
124+
Add `FIPS_ENABLED=true` to your repos Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
125+
126+
e.g.
127+
128+
```.mk
129+
FIPS_ENABLED=true
130+
131+
include boilerplate/generated-includes.mk
132+
```
133+
134+
`ensure-fips` will add a [fips.go](./fips.go) file in the same directory as the `main.go` file. (Please commit this file as normal)
135+
136+
`fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings.
137+
138+
With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
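
Review bot: In the new FIPS section, the link `[fips.go](./fips.go)` resolves relative to this README's directory, but the text says the file is written next to `main.go`, and the script added in this commit copies `fips.go.tmplt`. Point the link at the template or drop it. Two smaller points in the same section: "your repos Makefile" should read "your repo's Makefile", and the fence tagged `.mk` would render better tagged `makefile`.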

Diff for: boilerplate/openshift/golang-osd-operator/app-sre-build-deploy.sh

+1-1
@@ -68,6 +68,6 @@ for channel in staging production; do
6868
echo "properly. Nothing to do!"
6969
else
7070
# build the CSV and create & push image catalog for the appropriate channel
71-
make ${channel}-common-csv-build ${channel}-catalog-build ${channel}-catalog-publish
71+
make ${channel}-csv-build ${channel}-catalog-build ${channel}-catalog-publish
7272
fi
7373
done

Diff for: boilerplate/openshift/golang-osd-operator/app-sre.md

+11
@@ -21,6 +21,17 @@ If not, you will need to set the `IMAGE_REGISTRY` environment variable (see [bel
2121
The SaaS bundle repository for `$OPERATOR_NAME` should be located at `https://gitlab.cee.redhat.com/service/saas-{operator}-bundle`, e.g. https://gitlab.cee.redhat.com/service/saas-deadmanssnitch-operator-bundle.
2222
Fork it to your personal namespace.
2323

24+
If you have already forked it to your personal namespace and/or used your fork for testing app-sre scripts at some time in the past, it is recommended that you bring your fork in sync with how upstream appears, or else the catalog you test with may not work correctly when deployed.
25+
26+
An example of how to do this for the `staging` branch is below (`production` steps are the same):
27+
28+
```
29+
git checkout staging
30+
git pull upstream staging
31+
git reset --hard upstream/staging
32+
git push origin staging --force
33+
```
34+
2435
## Set environment variables
2536
```bash
2637
# The process creates artifacts in your git clone. Some of the make targets
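
Review bot: The added sync snippet ends with `git reset --hard upstream/staging` and `git push origin staging --force`, which discards any local commits on `staging` and overwrites the fork's branch without checking what is there. Say so in the sentence introducing the snippet and use `--force-with-lease` for the push. `git pull upstream staging` immediately before the hard reset can stop on a merge conflict for no benefit, so `git fetch upstream` is enough. The new fence also lacks the `bash` tag that the following block uses.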

Diff for: boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh

+9-1
@@ -71,7 +71,7 @@ function check_bundle_contents_cmd() {
7171
# Check we are running an opm supported container engine
7272
function check_opm_supported_container_engine() {
7373
local image_builder=${1}
74-
if [[ "$image_builder" != "docker" && "$image_builder" != "podman" ]]; then
74+
if [[ "$image_builder" != docker* && "$image_builder" != "podman" ]]; then
7575
# opm error messages are obscure. Let's make this clear
7676
log "image_builder $image_builder is not one of docker or podman"
7777
return 1
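
Review bot: The new pattern `docker*` in `check_opm_supported_container_engine` accepts any value that merely begins with `docker`, while the log line still reports "is not one of docker or podman". If the intent is to allow docker followed by options, match `docker` exactly or `docker` followed by a space (`"docker "*`), and update the log message to describe what is actually accepted.
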
@@ -320,6 +320,14 @@ function main() {
320320
local versions
321321
# shellcheck disable=SC2207
322322
versions=($(get_prev_operator_version "$bundle_versions_file"))
323+
# This condition is triggered when an operator is built for the first time. In such case the
324+
# get_prev_operator_version returns an empty string and causes undefined variables failures
325+
# in a few lines below.
326+
if [ -z ${versions+x} ]
327+
then
328+
versions[0]=""
329+
versions[1]=""
330+
fi
323331
local prev_operator_version="${versions[0]}"
324332
local prev_good_operator_version="${versions[1]}"
325333
local skip_versions=("${versions[@]:2}")
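
Review bot: `[ -z ${versions+x} ]` in `main()` is unquoted and only tests whether element 0 of the array is set, so it succeeds for the empty array only because `[ -z ]` with no operand evaluates true. A result with a single element still leaves `versions[1]` unset for the `prev_good_operator_version` line, which is the failure the comment describes. Test the length instead, for example `[[ ${#versions[@]} -eq 0 ]]`, or default both reads with `${versions[0]:-}` and `${versions[1]:-}`.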

Diff for: boilerplate/openshift/golang-osd-operator/codecov-secret-mapping

-62
This file was deleted.
@@ -0,0 +1,18 @@
1+
#!/usr/bin/env bash
2+
3+
set -e
4+
5+
REPO_ROOT=$(git rev-parse --show-toplevel)
6+
CONVENTION_DIR="$REPO_ROOT/boilerplate/openshift/golang-osd-operator"
7+
PRE_V1_SDK_MANAGER_DIR="$REPO_ROOT/cmd/manager"
8+
9+
if [[ -d "$PRE_V1_SDK_MANAGER_DIR" ]]
10+
then
11+
MAIN_DIR=$PRE_V1_SDK_MANAGER_DIR
12+
else
13+
MAIN_DIR=$REPO_ROOT
14+
fi
15+
16+
echo "Writing fips file at $MAIN_DIR/fips.go"
17+
18+
cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go"
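
Review bot: On the last line, `cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go"` leaves the source path unquoted while the destination is quoted, so a checkout path containing spaces breaks the copy. Quote it as `"$CONVENTION_DIR/fips.go.tmplt"`. The copy also overwrites an existing `fips.go` on every run. If that is intended, a one-line comment saying so would prevent someone from hand-editing the generated file.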

Diff for: boilerplate/openshift/golang-osd-operator/csv-generate/catalog-build.sh

+25-2
@@ -23,6 +23,13 @@ while getopts "o:c:r:" option; do
2323
esac
2424
done
2525

26+
# Detect the container engine to use, allowing override from the env
27+
CONTAINER_ENGINE=${CONTAINER_ENGINE:-$(command -v podman || command -v docker || true)}
28+
if [[ -z "$CONTAINER_ENGINE" ]]; then
29+
echo "WARNING: Couldn't find a container engine! Defaulting to docker."
30+
CONTAINER_ENGINE=docker
31+
fi
32+
2633
# Checking parameters
2734
check_mandatory_params operator_channel operator_name
2835

@@ -56,13 +63,29 @@ EOF
5663

5764
# Build registry
5865
cat <<EOF > $DOCKERFILE_REGISTRY
59-
FROM quay.io/openshift/origin-operator-registry:4.8.0
66+
FROM quay.io/openshift/origin-operator-registry:4.10.0 AS builder
6067
COPY $SAAS_OPERATOR_DIR manifests
6168
RUN initializer --permissive
69+
70+
FROM registry.access.redhat.com/ubi8/ubi-micro:8.6-484
71+
72+
COPY --from=builder /bin/registry-server /bin/registry-server
73+
COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe
74+
COPY --from=builder /bin/initializer /bin/initializer
75+
76+
WORKDIR /registry
77+
RUN chgrp -R 0 /registry && chmod -R g+rwx /registry
78+
79+
USER 1001
80+
81+
COPY --from=builder /registry /registry
82+
83+
EXPOSE 50051
84+
6285
CMD ["registry-server", "-t", "/tmp/terminate.log"]
6386
EOF
6487

65-
docker build -f $DOCKERFILE_REGISTRY --tag "${registry_image}:${operator_channel}-latest" .
88+
${CONTAINER_ENGINE} build --pull -f $DOCKERFILE_REGISTRY --tag "${registry_image}:${operator_channel}-latest" .
6689

6790
if [ $? -ne 0 ] ; then
6891
echo "docker build failed, exiting..."
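
Review bot: In the generated Dockerfile, `RUN chgrp -R 0 /registry && chmod -R g+rwx /registry` runs before `COPY --from=builder /registry /registry`, so the group ownership and mode are applied to the empty `WORKDIR` and not to the content copied in afterwards. Place the `COPY` before the `RUN` (and before `USER 1001`), or use `COPY --chown=1001:0`, so the permissions cover the files the non-root user actually reads. The failure message `docker build failed, exiting...` is also misleading now that the build runs through `${CONTAINER_ENGINE}`.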

Diff for: boilerplate/openshift/golang-osd-operator/csv-generate/catalog-publish.sh

+13-2
@@ -41,6 +41,17 @@ BUNDLE_DIR="${SAAS_OPERATOR_DIR}/${operator_name}"
4141
OPERATOR_NEW_VERSION=$(ls "${BUNDLE_DIR}" | sort -t . -k 3 -g | tail -n 1)
4242
OPERATOR_PREV_VERSION=$(ls "${BUNDLE_DIR}" | sort -t . -k 3 -g | tail -n 2 | head -n 1)
4343

44+
# Get container engine
45+
CONTAINER_ENGINE=$(command -v podman || command -v docker || true)
46+
[[ -n "$CONTAINER_ENGINE" ]] || echo "WARNING: Couldn't find a container engine. Assuming you already in a container, running unit tests." >&2
47+
48+
# Set SRC container transport based on container engine
49+
if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]]; then
50+
SRC_CONTAINER_TRANSPORT="containers-storage"
51+
else
52+
SRC_CONTAINER_TRANSPORT="docker-daemon"
53+
fi
54+
4455
# Checking SAAS_OPERATOR_DIR exist
4556
if [ ! -d "${SAAS_OPERATOR_DIR}/.git" ] ; then
4657
echo "${SAAS_OPERATOR_DIR} should exist and be a git repository"
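
Review bot: `CONTAINER_ENGINE=$(command -v podman || command -v docker || true)` ignores a `CONTAINER_ENGINE` already set in the environment, whereas catalog-build.sh in this same commit uses `${CONTAINER_ENGINE:-...}`. With both engines installed and `CONTAINER_ENGINE` exported as docker, the image is built by docker but `SRC_CONTAINER_TRANSPORT` becomes `containers-storage`, so `skopeo copy` looks in the wrong image store. Use the same override form in both scripts. When no engine is found, the transport silently falls back to `docker-daemon`, and the warning text should read "you are already in a container".
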
@@ -85,7 +96,7 @@ popd
8596
if [ "$push_catalog" = true ] ; then
8697
# push image
8798
skopeo copy --dest-creds "${QUAY_USER}:${QUAY_TOKEN}" \
88-
"docker-daemon:${registry_image}:${operator_channel}-latest" \
99+
"${SRC_CONTAINER_TRANSPORT}:${registry_image}:${operator_channel}-latest" \
89100
"docker://${registry_image}:${operator_channel}-latest"
90101

91102
if [ $? -ne 0 ] ; then
@@ -94,7 +105,7 @@ if [ "$push_catalog" = true ] ; then
94105
fi
95106

96107
skopeo copy --dest-creds "${QUAY_USER}:${QUAY_TOKEN}" \
97-
"docker-daemon:${registry_image}:${operator_channel}-latest" \
108+
"${SRC_CONTAINER_TRANSPORT}:${registry_image}:${operator_channel}-latest" \
98109
"docker://${registry_image}:${operator_channel}-${operator_commit_hash}"
99110

100111
if [ $? -ne 0 ] ; then
